Privacy Policy

Glossy Finish, LLC ("Company," "we," "us," or "our") operates the Templified platform and website (the "Service"). This Privacy Policy describes how we collect, use, and share information about you when you use the Service.

1. Information We Collect

Information You Provide

• Account Information: When you sign in via Google OAuth, we receive your name, email address, and profile picture from Google.
• Content: Templates, images, data fields, and other content you create or upload through the Service.
• Payment Information: If you purchase a paid plan, our payment processor (Stripe) collects your billing details. We do not store your full credit card number.
• Communications: Information you provide when you contact us for support or other inquiries.

Google Sign-In

We use Google OAuth solely to authenticate you and identify your account. We request the minimum scopes required (openid, email, profile) to obtain your name, email address, and profile picture. We do not request or access Gmail, Drive, Calendar, Contacts, or any other Google user data. Google profile information is used only for authentication and account display, and is not sold or shared with third parties for advertising.

Information Collected Automatically

• Usage Data: Pages visited, features used, render history, API calls, timestamps, and interaction patterns.
• Device Information: Browser type, operating system, screen resolution, and device identifiers.
• Log Data: IP address, access times, referring URLs, and error logs.
• Cookies: We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service.
• Process your templates and render images on your behalf.
• Manage your account and authenticate your identity.
• Process payments and manage subscriptions.
• Send transactional emails (account confirmations, billing receipts, security alerts).
• Monitor and analyze usage trends to improve the Service.
• Detect, prevent, and address fraud, abuse, and security issues.
• Comply with legal obligations.

3. How We Share Your Information

We do not sell or rent your personal information, and we do not use your data to train machine-learning models. We share data only with the subprocessors listed below, and only as needed to deliver the Service.

Subprocessors

• Amazon Web Services (AWS): Hosting, compute, storage (S3), database (RDS PostgreSQL), email delivery (SES), and identity (Cognito). United States.
• AWS Rekognition: Face and label detection performed on photos you upload, used to compute composition (e.g., automatic face placement) before rendering. Photo bytes are sent to Rekognition for analysis; Amazon's terms prohibit use of customer images to train Rekognition models, and detection metadata returned to us (bounding boxes) is stored alongside the source photo.
• PerfectlyClear (Athentech Imaging, Inc.): Optional background-removal and photo-enhancement processing. When you trigger background removal on a photo, the photo is sent to PerfectlyClear's API; the processed image is returned and stored in your account. PerfectlyClear does not retain customer images after processing, per their service terms.
• Stripe, Inc.: Payment processing, card storage, and merchant-initiated auto-refill charges. Stripe collects and stores your payment card details directly; we receive and store only a payment-method identifier and the last four digits.
• Google LLC: Authentication via Google OAuth (name, email, profile picture). No other Google services accessed.
• Sentry (Functional Software, Inc.): Error monitoring and performance tracing. May incidentally collect IP address and user-agent alongside crash reports; we configure Sentry to scrub URLs, request bodies, and other potentially sensitive data.
• Dropbox, Inc. (optional): If you connect a Dropbox integration, we access only the files and folders you explicitly grant via Dropbox's OAuth consent screen. Tokens are encrypted at rest.
• Cloudflare / AWS CloudFront: Content delivery and DDoS protection.

We may also disclose information when:

• Legal Requirements: We are required by law, regulation, legal process, or valid government request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may transfer as part of that transaction. We will notify you of any such transfer and any change in this policy.
• With Your Consent: You explicitly authorize disclosure to a third party.

Biometric and Face Data

Some of our features (face detection for automatic photo placement, optional background removal) involve processing photos that may contain identifiable faces. We use this data only to compute layout for your renders. We do not use face data to identify individuals, do not build face-recognition profiles, and do not share face data with third parties beyond the subprocessors listed above. If you reside in Illinois (BIPA), Texas (CUBI), Washington, or another jurisdiction with specific biometric-data laws, additional rights may apply — contact us at contact@templified.io to exercise them.

4. Data Storage and Security

Your data is stored on servers provided by Amazon Web Services (AWS) in the United States. We implement industry-standard security measures, including encryption in transit (TLS) and at rest, to protect your information. However, no method of transmission or storage is 100% secure.

5. Data Retention

We retain your account information and content for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except as follows:

• Billing and tax records: Invoices, receipts, balance ledger entries, and related financial records are retained for at least seven (7) years to comply with U.S. tax and accounting obligations.
• Backups: Data may persist in encrypted, time-limited backups for up to 35 days after deletion, after which it is overwritten.
• Legal holds: Data subject to a legal hold, dispute, or regulatory request will be retained until the matter is resolved.

Anonymized or aggregated data that no longer identifies you may be retained indefinitely.

6. Your Rights

Depending on your location, you may have the following rights:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your personal information.
• Object to or restrict certain processing of your data.
• Request a portable copy of your data in a structured, machine-readable format.
• Withdraw consent at any time, where we rely on consent as the legal basis for processing.
• Lodge a complaint with a data protection authority.

EU / UK Residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent UK/Swiss laws apply. Our legal bases for processing are: (a) performance of a contract (operating the Service for you), (b) legitimate interests (security, fraud prevention, product improvement), and (c) consent (optional features such as marketing emails). You have the right to lodge a complaint with your local data protection authority.

California Residents (CCPA/CPRA)

If you are a California resident, you have the rights described above plus the right to (a) know what personal information we collect and how it is used, (b) opt out of the "sale" or "sharing" of personal information (we do not sell or share, but you may submit a request anyway), and (c) limit use of sensitive personal information. We do not use sensitive personal information for any purpose other than providing the Service. You may also designate an authorized agent to exercise these rights on your behalf.

Other U.S. State Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have substantially similar rights and may exercise them by contacting us as described below.

Global Privacy Control (GPC)

We honor browser-level Global Privacy Control (GPC) signals as an opt-out of any "sale" or "sharing" of personal information, where applicable.

Exercising Your Rights

To exercise any of these rights, contact us at contact@templified.io. We will respond within the timeframe required by applicable law (typically 30–45 days) and will not retaliate against you for exercising your rights.

7. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

8. International Users

If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

9. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date. Your continued use of the Service constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at:

Glossy Finish, LLC
Email: contact@templified.io